Re: [Acme] WGLC for ACME DTN Node ID

Russ Housley <housley@vigilsec.com> Sat, 10 April 2021 15:39 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <5a65599ca9a588e8fa79647364372c52b34b6316.camel@rkf-eng.com>
Date: Sat, 10 Apr 2021 11:38:57 -0400
Cc: IETF ACME <acme@ietf.org>
Message-Id: <3E9C528E-C544-404D-A74B-1DDD4D236A95@vigilsec.com>
References: <5a65599ca9a588e8fa79647364372c52b34b6316.camel@rkf-eng.com>
To: Brian Sipos <BSipos@rkf-eng.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/v0vIkY5k8Dm9i-mlKI0pob50zxw>
Subject: Re: [Acme] WGLC for ACME DTN Node ID

These changes resolve my concerns.

Russ

> On Apr 9, 2021, at 5:40 PM, Brian Sipos <BSipos@rkf-eng.com> wrote:
> 
> Russ,
> Thank you for the review comments. My responses are inline with prefix "[BS1]".
> 
>> I think that this document is almost ready.  I have a few comments.
> 
>> MAJOR:
> 
>> Section 4 points to Section 4.4.2 of [I-D.ietf-dtn-tcpclv4]; but that profile does not require the certificate to
>> include an EKU of id-kp-bundleSecurity.  When this document is used to verify control over the DTN Node ID, I think the
>> issued certificate MUST include an EKU of id-kp-bundleSecurity.  If other means are used to validate other identities,
>> then other EKU values might be included as well.
> 
> [BS1] This seems reasonable to require. I suppose the "email-reply-00" document [1] just leaves out any discussion of
> EKU because the preexisting S/MIME documents define a more concrete certificate profile and there is a lot of momentum
> behind S/MIME implementation. I'm going to add statements about the EKU in the CSR and the issued certificate.
> 
>> Section 4.2 is talking about S/MIME certificates.  I think there is a cut-and-paste error here.
> 
> [BS1] Yes, these statements should replace "S/MIME" with "bundle security".
> 
>> MINOR:
> 
>> Section 3.1 says:  "The only over-the-wire data required by ACME for a Challenge Bundle is a nonce token ...".  This
>> is the first time that "nonce" appears in the document.  Please reword.
> 
> [BS1] I removed this statement and replaced it with a statement about the token-part2 scope:
> The <token-part2> value included in this object is fixed for the entire challenge, and may correspond with multiple
> separate <token-part1> values when multiple Challenge Bundles are sent for a single validation.
> 
>> Section 3.3 and 3.4: in the beginning of the section, please add a pointer to the document that defines these
>> parameters.  I think it is draft-ietf-dtn-bpbis.
> 
> [BS1] That is the correct reference. I am adding a statement at the top of each section.
> 
>> Section 6.1: please provide a reference for "BPSEC key material", and please spell out "BCB".
> 
> [BS1] I removed this speculative text and replaced it with:
> It is possible for intermediate BP nodes to encapsulate-and-encrypt Challenge and/or Response Bundles while they
> traverse untrusted networks, but that is a DTN configuration matter outside of the scope of this document.
> 
>> NITS:
> 
>> Section 1: please spell out BP on first use.
>> Section 2: s/wildcard ("*") character/wildcard character ("*")/
>> Section 6.2:  please spell out "BIB".
> 
> [BS1] I am correcting all of these typos.
> 
> 
> [1] https://tools.ietf.org/html/draft-ietf-acme-email-smime-14
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
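The MAJOR comment above is that a certificate issued via the DTN Node ID challenge MUST carry an EKU of id-kp-bundleSecurity, while other EKU values may also be present. The following is an added example, not code from this thread, the ACME draft, or any DTN implementation: it decodes the DER-encoded ExtKeyUsageSyntax value (SEQUENCE OF OBJECT IDENTIFIER) from a certificate's extKeyUsage extension without external libraries and applies that rule, accepting additional EKUs alongside the required one and rejecting truncated encodings. The OID value used for id-kp-bundleSecurity is an assumption taken from the published tcpclv4 specification (RFC 9174) and should be confirmed against it; the sample extension bytes are constructed here.

```python
"""Check a DER-encoded ExtKeyUsageSyntax for the id-kp-bundleSecurity EKU.

Added example (not from the draft or any DTN implementation). Implements
just enough DER to encode/decode SEQUENCE OF OBJECT IDENTIFIER.
"""
from typing import List

# Assumption: OID of id-kp-bundleSecurity as registered by RFC 9174
# (tcpclv4); verify against the RFC before relying on it.
ID_KP_BUNDLE_SECURITY = "1.3.6.1.5.5.7.3.35"
# Well-known PKIX EKUs used only to build sample inputs.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06


def _base128(value: int) -> bytes:
    """Encode one OID sub-identifier in DER base-128 (high bit = more)."""
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def _encode_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(oid: str) -> bytes:
    """Encode dotted OID text as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in oid.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = b"".join(_base128(s) for s in subids)
    return bytes([TAG_OID]) + _encode_len(len(body)) + body


def encode_eku(oids: List[str]) -> bytes:
    """Encode ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + _encode_len(len(body)) + body


def _read_len(buf: bytes, pos: int):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid_body(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted text."""
    if not body:
        raise ValueError("empty OID")
    if body[-1] & 0x80:
        raise ValueError("truncated OID sub-identifier")
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    arcs.extend(subids[1:])
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> List[str]:
    """Decode ExtKeyUsageSyntax into a list of dotted KeyPurposeId OIDs."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data")
    oids: List[str] = []
    while pos < end:
        if der[pos] != TAG_OID:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        olen, pos = _read_len(der, pos + 1)
        if pos + olen > end:
            raise ValueError("OID runs past end of SEQUENCE")
        oids.append(decode_oid_body(der[pos:pos + olen]))
        pos += olen
    if not oids:
        raise ValueError("ExtKeyUsageSyntax must contain at least one OID")
    return oids


def has_required_eku(der: bytes, required: str = ID_KP_BUNDLE_SECURITY) -> bool:
    """Apply the review rule: the required EKU MUST be present; others may be."""
    return required in decode_eku(der)


# Constructed sample: extKeyUsage value carrying only id-kp-bundleSecurity.
SAMPLE_BUNDLE_ONLY = bytes.fromhex("300a06082b06010505070323")

if __name__ == "__main__":
    print(decode_eku(SAMPLE_BUNDLE_ONLY))
    print(has_required_eku(encode_eku([ID_KP_SERVER_AUTH, ID_KP_BUNDLE_SECURITY])))
    print(has_required_eku(encode_eku([ID_KP_EMAIL_PROTECTION])))
```

In a real validator the input bytes come from the extKeyUsage (2.5.29.37) extension of the parsed certificate; the same check should be applied to the CSR, since Brian's reply says the EKU statement will cover both the CSR and the issued certificate.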